Vulnerabilities > Pivotx

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | VENDOR / CWE | RISK |
|---|---|---|---|---|---|
| 2017-10-02 | CVE-2017-14958 | Unrestricted Upload of File with Dangerous Type vulnerability in Pivotx 2.3.11 | lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file. | pivotx CWE-434 | network, low complexity, 6.5 |
| 2017-06-06 | CVE-2017-9332 | Cross-site Scripting vulnerability in Pivotx 2.3.11 | The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 mishandles the URI, allowing XSS via vectors involving quotes in the self Smarty tag. | pivotx CWE-79 | network, 4.3 |
| 2017-05-31 | CVE-2017-8402 | Code Injection vulnerability in Pivotx 2.3.11 | PivotX 2.3.11 allows remote authenticated users to execute arbitrary PHP code via vectors involving an upload of a .htaccess file. | pivotx CWE-94 | network, low complexity, 6.5 |
| 2017-04-07 | CVE-2017-7570 | Code Injection vulnerability in Pivotx 2.3.11 | PivotX 2.3.11 allows remote authenticated Advanced users to execute arbitrary PHP code by performing an upload with a safe file extension (such as .jpg) and then invoking the duplicate function to change to the .php extension. | pivotx CWE-94 | network, low complexity, 6.5 |
| 2015-07-08 | CVE-2015-5458 | Unspecified vulnerability in Pivotx | Session fixation vulnerability in fileupload.php in PivotX before 2.3.11 allows remote attackers to hijack web sessions via the sess parameter. | pivotx | network, 6.8 |
| 2015-07-08 | CVE-2015-5457 | Improper Input Validation vulnerability in Pivotx | PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php. | pivotx CWE-20 | network, low complexity, 7.5 |
| 2015-07-08 | CVE-2015-5456 | Cross-site Scripting vulnerability in Pivotx | Cross-site scripting (XSS) vulnerability in the form method in modules/formclass.php in PivotX before 2.3.11 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, related to the "PHP_SELF" variable and form actions. | pivotx CWE-79 | network, 4.3 |
| 2014-04-15 | CVE-2014-0342 | Arbitrary File Upload vulnerability in PivotX 'fileupload.php' | Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors. | pivotx | network, low complexity, 7.5 |
| 2014-04-15 | CVE-2014-0341 | Cross-Site Scripting vulnerability in Pivotx | Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to objects.php; or the (5) email or (6) nickname field to pages.php, related to templates_internal/users.tpl. | pivotx CWE-79 | network, 3.5 |
| 2012-08-13 | CVE-2012-2274 | Cross-Site Scripting vulnerability in Pivotx | Cross-site scripting (XSS) vulnerability in pivotx/ajaxhelper.php in PivotX 2.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter. | pivotx CWE-79 | network, 4.3 |